Scarab ransomware is a malicious virus that employs the AES-256 and RSA-2048 algorithms to lock personal information on the targeted computer. The malware was spotted for the first time in June 2017 and has been returning with new versions since then. According to the latest claims, it may belong to the same developer as Animus ransomware, since it uses the same email address as that cryptovirus. Sadly, only a few versions of this cyber threat can be decrypted. As soon as Scarab ransomware locks files by appending a specific extension, it drops a ransom note and demands a ransom payment for the key that can unlock the data. The latest variants of the malware include Scarab-Recovery, Scarab-Turkish, Scarab-Barracuda, and the .anonimus.mr@yahoo.com file extension virus.

Dr. Web announced that some of the files encrypted by Scarab can be decrypted. Users should send an email to emte@adc-soft.com with a few samples of affected data together with the ransom note.

ELIMINATION

Manual removal is not possible. To get rid of the ransomware and its variants, download Reimage and run a full system scan.

This ransomware[1] is not an ordinary crypto-virus – it was found to use the Necurs botnet[2] to spread. Given that Necurs is the largest spam botnet, the chance of getting infected with Scarab increases greatly. In addition, some variants are spread via fake Flash Player updates and use exploit kits to get onto machines all over the world.

Right after the infiltration, the virus encrypts video, music, picture, document and similar personal data using symmetric and asymmetric encryption algorithms. You can tell which files the ransomware encrypted by looking at their extensions: files carrying the .scarab, .scorpio or a similar suffix are encrypted and you will not be able to open them.

Scarab reappeared in August 2018

Experts consider the Scarab virus one of the most aggressive cyber threats. Recent reports state that the virus uses the .anonimus.mr@yahoo.com file extension to mark locked data. After encrypting files, it instructs victims to contact its developers through the same email address.

Previously, the virus resumed its activity at the end of March 2018, this time using the .amnesia file extension. Upon successful encryption, the ransomware generates a ransom note called HOW TO RECOVER ENCRYPTED FILES.TXT or similar, which instructs the victim to pay the ransom in Bitcoin within 72 hours.

The crooks did not stop with the Amnesia variant: at the beginning of April 2018, ransomware researchers publicly announced a new version dubbed Scarab-Decrypts. Just like its predecessors, it uses the AES-256 cipher to lock files and the same distribution techniques. However, it can be distinguished from the other variants by the .decrypts@airmail.cc or .decryptsairmail.cc file extensions and the HOW TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT ransom note.

At the end of May 2018, a new variant of the malware emerged. The encryption and functionality remain the same, but the new version appends the .infovip@airmail.cc file extension to the targeted data. Following the encryption, it also delivers a ransom note named like the previous ones: HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT. However, there is no need to follow the criminals' instructions, as this version appears to be decryptable.

The image of Scarab virus ransom note.

Yet another version of Scarab ransomware was also released at the end of May. It appends the .diskdoktor file extension and asks victims to send their unique ID number to the DiskDoctor@protonmail.com email address. Further information about data recovery is given in the HOW TO RECOVER ENCRYPTED FILES.TXT file, but the message is nearly identical to the ones seen in previous versions of the malware.

Additionally, Scarab reappeared in June 2018 with a version that uses the .fastrecovery@airmail.cc file extension to mark each affected file. The virus drops the ransom note HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT into each folder, explaining that the files were encrypted with the RSA-2048 cipher. The only way to recover the locked files is said to be a special decryption key that the criminals store on a remote server.

Later on, cybersecurity experts detected a new variant using the .leen file extension. Victims are given an INSTRUCTIONS FOR RESTORING FILES.TXT ransom note in which the hackers urge them to write to the mr.leen@protonmail.com email address for the decryption software. The message states the following:

Contact us using this email address: mr.leen@protonmail.com

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).

Scarab-Amnesia is a crypto-malware which has emerged from the initial Scarab ransomware.

A few days later, another variant was released. This time, the file-marking scheme is slightly different: the ransomware appends the .xmail@cock.li extension to the compromised data and drops the Recover files-xmail@cock.li.TXT ransom note. Recent versions use the AES cipher to lock personal files and attach different file extensions, including .danger and .btcking.

Note that a Scarab ransomware decryptor has not yet been created, so retrieving files is difficult. However, in April 2018, Doctor Web announced[3] that some cases of the ransomware can be decrypted. For that, victims should send the ransom note HOW TO RECOVER ENCRYPTED FILES – decrypts@airmail.cc.TXT and 3-4 encrypted files to the email address emte@adc-soft.com. If infected with any of these versions, try this method for file decryption. If it does not work for you, jump to the end of this post for other data recovery methods. However, make sure you remove Scarab ransomware before this procedure.

Virus functionality to gain income

Originally, the ransom note of the Scarab virus was written in Russian, but its latest versions use a note translated into English. Typically, it reads:

*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!

—– BEGING PERSONAL IDENTIFIER ————-

—– END PERSONAL IDENTIFIER ——————

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: [email address]

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).

[……]

To gain users' trust, the developers offer free decryption of three files up to 1 MB in size. However, the felons do not state the sum of the ransom but rather urge affected users to contact them as soon as possible, since the deadline for payment ends after 72 hours.

Following these orders is not recommended. Cybercriminals cannot be trusted in any way, so after paying the ransom you may be left without both money and files. Security experts instead recommend that victims remove Scarab ransomware using a professional anti-malware tool, like Reimage or Malwarebytes.

.scorpio file extension virus is an upgraded version of Scarab ransomware.

Once you complete the Scarab removal, you will be able to recover most or even all of the encrypted files using third-party data recovery tools. You can find a comprehensive decryption tutorial at the end of this article. Alternatively, you can email a few encrypted files to Dr.Web (emte@adc-soft.com) and see if security experts can decrypt the files for you.

The ransom note typically instructs the victim to provide the personal identifier and contact the felons via the provided email address. Updated variants of the Scarab virus have used different email addresses for communication with victims. Currently, the known emails used by the criminals are:

The list of Scarab versions

Scarab ransomware has been appearing with new versions since last year. Recently, it came to researchers' attention as malware that receives updates almost every month. At the moment, there are twenty different members of this extortionist family, which are listed below.

Scorpio ransomware

Scorpio ransomware is believed to be the first new update to the original Scarab ransomware. Its most noticeable feature is that it compromises the computer in several distinct stages.

First, it settles on the computer with the help of bogus scripts executed via Command Prompt (Admin). The next phase encompasses data encryption: Scorpio ransomware scans the system for targeted files, applies the AES cipher to lock them, and finally appends the .[Help-Mails@Ya.ru].scorpio file extension to distinguish them from the others. The final phase is informative. The Scorpio virus generates a ransom note named IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt. The file contains the victim's unique ID and contact information, including email addresses (Help-Mails@Ya.Ru and alexous@bk.ru).

Scarab-Crypto ransomware

Scarab-Crypto is the name of the next Scarab ransomware version, detected in the second half of March 2018. Just like its predecessors, it uses AES cryptography and targets the most popular file types. Its distinctive features are the .crypto file extension and the HOW TO RECOVER ENCRYPTED FILES.TXT file, which instructs the victim to email the Scarab-Crypto ransomware developers at anticrypto@protonmail.com and quote a personal identification number.

The extortionists offer to unlock two files encrypted by Scarab-Crypto for free to prove their trustworthiness. The sum of the payment is not revealed in the note, but the victim is told to initiate a Bitcoin transaction as soon as possible to get a decryptor.

Cybercriminals developed a new version, called Scarab-Cryptor.

Scarab-Amnesia

Spotted at the end of March 2018, this version spreads via the Necurs botnet and executes its payload when the potential victim extracts a 7Zip email attachment. Like other Scarab versions, it uses the AES-256 encryption algorithm. However, it can easily be distinguished from the rest by the .amnesia file extension added to locked files. The list of targeted files:

Scarab-Amnesia ransomware informs its victims about the situation and the steps they have to take to decrypt files in a HOW TO RECOVER ENCRYPTED FILES.TXT file. Typically, it is stored on the desktop, but it can also be found in any folder containing files with the .amnesia extension.

Scarab-Please ransomware

At the end of March 2018, security experts discovered Please ransomware, which uses AES encryption to modify targeted files. It appends the .please file extension to the target data and drops a ransom note, “HOW TO RECOVER ENCRYPTED FILES.TXT”, on the desktop. This message tells the victim to contact the developers at decry1@cock.li or decry2@cock.li for further instructions on recovering the affected files. The cybercriminals also claim that the victim can test the decryption procedure to make sure it works. However, we do not recommend contacting the hackers. The ransomware can also modify Windows registry keys, so it should be removed as soon as possible.

Scarab-Decrypts ransomware

This is yet another version of the ransomware. It is more or less similar to its predecessors, though it uses different file extensions and a different ransom note. Written in Delphi, it uses the AES-256 cipher to attack the victim's files and renders them useless by altering their file extensions.

Following the encryption phase, each locked file gets either the .decrypts@airmail.cc or the .decryptsairmail.cc file extension, after which the owner can no longer use them. Scarab-Decrypts ransomware provides its victims with a ransom note called HOW TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT. It does not say much, except that the files have been encrypted, and asks the victim to contact decrypts@airmail.cc and provide a unique identification number for further instructions. You can see an example of the Scarab-Decrypts ransom note below.

Scarab-Decrypts is a different version of the original virus.

Scarab-Horsia

The Horsia ransomware version was spotted at the beginning of May 2018. Disguised as 7Zip or similarly named email attachments, the ransomware targets English-speaking PC users. Once it is installed, malicious processes start running in the background to protect Horsia ransomware from removal.

Encrypted files are easy to notice, as they get the .horsia@airmail.cc file extension, which cannot be removed manually. Besides, each folder, including the desktop, contains a HOW TO RECOVER ENCRYPTED FILES.TXT file explaining the situation, including payment and contact information. The full ransom note reads as follows:

Scarab-Walker

This version of the dangerous cyberthreat was spotted by security experts shortly after the Horsia variant came out. Just like all previous versions, Walker ransomware uses AES cryptography to encrypt files. It changes all media, video, text and other personal files and makes them unusable by adding the .JohnnieWalker extension.

As usual, after data encryption the Scarab-Walker virus drops a ransom note in .txt format explaining the situation to the user. The hackers demand payment in Bitcoin. Once the ransom is paid, users are prompted to e-mail JohnnieWalker@firemail.cc and include their personal ID. Additionally, the cybercrooks offer to unlock one file to prove that the data is decryptable.

Scarab-Walker is another variant of the virus which has started spreading in the middle of 2018.

Scarab-Osk

Scarab-Osk encrypts data using the AES cipher and marks every affected file with the .osk extension. In the HOW TO RECOVER ENCRYPTED FILES.txt message, the hackers ask for 0.013 Bitcoin to be paid, after which an email is to be sent to translatos@protonmail.com for further instructions and the decryptor. As usual, we advise against contacting the cybercrooks; restore all encoded data from a backup instead.

Scarab-DiskDoctor ransomware

DiskDoctor ransomware still encrypts files with the same AES-256 encryption algorithm. Unlike previous variants, this one appends the .DiskDoctor file extension to the targeted files. It still displays data recovery instructions in a text file called “HOW_TO_RECOVER_ENCRYPTED_FILES.txt”.

In the ransom note, the crooks demand that victims contact them via the DiskDoctor@protonmail.com email address in order to learn about data recovery possibilities. However, we do not recommend trying to get your files back this way. The crooks will demand a transfer of a few hundred dollars in Bitcoin for a decryption tool, but once you make the transaction, they might disappear and never deliver it. Hence, you should remove DiskDoctor from the computer as soon as possible.

Scarab-DiskDoctor is another variant of the ransomware that adds the .DiskDoctor extension to files and still blackmails victims into paying the ransom.

Scarab-Good ransomware

In June 2018, researchers detected a few versions of Scarab, and this one is decryptable with Dr. Web. “.good” is the file extension the virus adds to modified files, and “filedecryption@prorotnmail.com” is the contact email address. As is typical for the Scarab family, the ransom note is placed in the file “HOW_TO_RECOVER_ENCRYPTED_FILES.txt”. It contains information about the encryption and what to do next, but no specifics about the ransom or decryption. This version came to light alongside several others.

Leen ransomware

Just as its name suggests, Leen ransomware appends “.leen” to each of the files it modifies. As soon as that is complete, a ransom note is placed in every folder. “INSTRUCTIONS FOR RESTORING FILES.TXT” contains information about this particular attack. The cybercriminals demand an unspecified payment in Bitcoin and suggest that victims contact them via the email address “mr.leen@protonmail.com” in order to get a key or more information.

Danger ransomware

Danger ransomware is decryptable with Dr. Web, but it differs from most members of the family because this version uses the RSA-2048 encryption algorithm. “.fastrecovery@xmpp.jp” is the file extension that this virus adds once the modification is complete. The typical “HOW_TO_RECOVER_ENCRYPTED_FILES.txt” ransom message is placed in nearly every folder on the PC. The most useful things in the note are the information about changing contact details and the encryption method. No specific ransom amount is given, just the email address “fastrecovery@xmpp.jp”, which changes after three days.

Oneway ransomware

These are difficult weeks in the cyber-security world, as Scarab develops new variants each week. This version targets Russian speakers: while it adds the “.oneway” file extension, the ransom note is called “Расшифровать файлы oneway.TXT”. The email address “bm15@horsefucker.org” is provided in the message, and the note contains more information about test decryption and the attack itself.

Scarab-BtcKING ransomware

BtcKING ransomware follows similar patterns. The encryption is done in a similar way, and the “.BtcKING” file extension resembles those of previous versions. This variant also places a ransom message called “How To Decode Files.txt” in every existing folder on the system and on the desktop. This ransomware came in June 2018 alongside other dangerous versions.

Scarab-Horsia virus "congratulates" its victims with the infection.

Bomber ransomware

This is another ransomware targeting Russian victims. It appends photo, video, text and other files with the “.bomber” file extension, so it is easy to tell which ones have been modified. After the encryption process is complete, the virus creates a ransom note, “HOW recover encrypted FAYLY.TXT”, with more details about the attack. It is placed on the desktop and in every folder where modified files can be found. This version lists soft2018@tutanota.com, soft2018@mail.ee and newsoft2018@yandex.by as possible contact emails.

JungleSec ransomware

The JungleSec version of Scarab has more specific details. Encryption is done while appending the “.jungle@anonymousspechcom” extension to modified files, after which the ransom note “ENCRYPTED.md” is placed in multiple places on the system. In this file, the virus developers demand 0.3 Bitcoin and give their contact email as “junglesec@anonymousspeech.com”, which you are told to contact after the payment is done. This version has no decryption option.

Recme ransomware

Recme ransomware is one of the newest variants, discovered in late June 2018, with the classical Scarab encryption patterns. After the encryption process, during which the “.recme” file extension is added to your photos, videos, text and archive files, the ransomware creates a ransom message called “HOW_TO_RECOVER_ENCRYPTED_FILES.txt”. In this message, you can find more details about the cyber attack.

Scarab-Dan ransomware

This version of Scarab ransomware, which came alongside the previous five, is the one that adds the “.dan@cock.email” file extension to targeted files. These can be anything from images, photos or videos to text files or even archives. After the modification is complete, you can find the ransom note file “HOW TO RECOVER ENCRYPTED FILES-dan@cock.emai.TXT”. This ransom message typically contains information about the initial attack and instructions for the victim.

Scarab-Recovery ransomware

Scarab-Recovery came out in early July 2018. The virus is written in the Delphi programming language and uses AES to lock up data. The crypto-virus adds the .BD.Recovery extension to each affected file and drops a ransom note, “HOW TO RECOVER FILES.TXT”, which states that victims should email the crooks via bd.recovery@aol.com or bd.recovery@india.com. However, the hackers should never be contacted, as it can result in a loss of money.

Scarab-Turkish ransomware

As the name suggests, this version of Scarab focuses on Turkish PC users. However, all the Turkish characters were replaced by English letters, making the note impossible to understand. The virus uses AES to encrypt data and adds the [Firmabilgileri@bk.ru] appendix to each affected file; this is also the cybercriminals' contact email. As usual, we suggest you ignore the cybercrooks and remove Scarab-Turkish from your machine as soon as possible.

Scarab-Barracuda ransomware

The latest variant of the crypto-virus is dubbed Scarab-Barracuda because it encrypts files and adds the .BARRACUDA file extension. The virus is closely related to Scarab-Rebus and can be decrypted. Therefore, do not waste your money and do not pay the cybercrooks; simply contact security experts who can help to decode the data. Unlike many other versions, Barracuda ransomware drops a ransom note that includes its name – BARRACUDA RECOVERY INFORMATION.TXT. The cybercriminals try their best to scare users with the following:

Attention!
Do not attempt to remove a program or run the anti-virus tools
Attempts to decrypt the files will lead to loss of Your data
Decoders other users is incompatible with Your data, as each user unique encryption key
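The variant list above boils down to a table of appended extensions and ransom-note file names. During incident triage, the first question is usually "which variant is this, and does the note on disk agree with the extensions?", because that decides whether one of the Dr. Web-decryptable builds is involved. The following script is an added example written for this page (not the article's own tooling and not anything from Dr. Web): it builds the lookup table from the extensions and note names given in the variant descriptions, walks a directory tree, counts hits per variant and reports a verdict that is flagged as corroborated only when a matching ransom note was also found. The sample tree it scans is constructed from empty placeholder files, not real artefacts.

```python
"""Post-infection triage: identify which Scarab variant hit a directory tree.

Example code added for this page, not the article's own tooling. The lookup
table is assembled from the extensions and ransom-note names in the variant
list; the sample directory it scans is constructed here."""
import os
import tempfile
from collections import Counter

# (variant, extensions appended to encrypted files, ransom-note file names)
VARIANT_TABLE = [
    ("Scarab (original)",   [".scarab"],                      ["HOW TO RECOVER ENCRYPTED FILES.TXT"]),
    ("Scorpio",             [".[Help-Mails@Ya.ru].scorpio"],   ["IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt"]),
    ("Scarab-Crypto",       [".crypto"],                       ["HOW TO RECOVER ENCRYPTED FILES.TXT"]),
    ("Scarab-Amnesia",      [".amnesia"],                      ["HOW TO RECOVER ENCRYPTED FILES.TXT"]),
    ("Scarab-Please",       [".please"],                       ["HOW TO RECOVER ENCRYPTED FILES.TXT"]),
    ("Scarab-Decrypts",     [".decrypts@airmail.cc", ".decryptsairmail.cc"],
                            ["HOW TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT"]),
    ("Scarab-infovip",      [".infovip@airmail.cc"],           ["HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT"]),
    ("Scarab-fastrecovery", [".fastrecovery@airmail.cc"],      ["HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT"]),
    ("Scarab-xmail",        [".xmail@cock.li"],                ["Recover files-xmail@cock.li.TXT"]),
    ("Scarab-Horsia",       [".horsia@airmail.cc"],            ["HOW TO RECOVER ENCRYPTED FILES.TXT"]),
    ("Scarab-Walker",       [".JohnnieWalker"],                []),
    ("Scarab-Osk",          [".osk"],                          ["HOW TO RECOVER ENCRYPTED FILES.txt"]),
    ("Scarab-DiskDoctor",   [".DiskDoctor", ".diskdoktor"],    ["HOW_TO_RECOVER_ENCRYPTED_FILES.txt"]),
    ("Scarab-Good",         [".good"],                         ["HOW_TO_RECOVER_ENCRYPTED_FILES.txt"]),
    ("Leen",                [".leen"],                         ["INSTRUCTIONS FOR RESTORING FILES.TXT"]),
    ("Danger",              [".fastrecovery@xmpp.jp", ".danger"], ["HOW_TO_RECOVER_ENCRYPTED_FILES.txt"]),
    ("Oneway",              [".oneway"],                       ["Расшифровать файлы oneway.TXT"]),
    ("Scarab-BtcKING",      [".BtcKING"],                      ["How To Decode Files.txt"]),
    ("Bomber",              [".bomber"],                       ["HOW recover encrypted FAYLY.TXT"]),
    ("JungleSec",           [".jungle@anonymousspechcom"],     ["ENCRYPTED.md"]),
    ("Recme",               [".recme"],                        ["HOW_TO_RECOVER_ENCRYPTED_FILES.txt"]),
    ("Scarab-Dan",          [".dan@cock.email"],               ["HOW TO RECOVER ENCRYPTED FILES-dan@cock.emai.TXT"]),
    ("Scarab-Recovery",     [".BD.Recovery"],                  ["HOW TO RECOVER FILES.TXT"]),
    ("Scarab-Turkish",      ["[Firmabilgileri@bk.ru]"],        []),
    ("Scarab-Barracuda",    [".BARRACUDA"],                    ["BARRACUDA RECOVERY INFORMATION.TXT"]),
    ("Scarab-anonimus",     [".anonimus.mr@yahoo.com"],        []),
]

# Longest marker first so ".decryptsairmail.cc" is tried before shorter suffixes.
_EXT_LOOKUP = sorted(((ext.lower(), variant) for variant, exts, _ in VARIANT_TABLE for ext in exts),
                     key=lambda pair: -len(pair[0]))
# Generic note names are shared by several variants, so each name maps to a list.
_NOTE_LOOKUP = {}
for variant, _, notes in VARIANT_TABLE:
    for note in notes:
        _NOTE_LOOKUP.setdefault(note.lower(), []).append(variant)


def classify(filename):
    """Return ("note", [variants]) or ("encrypted", [variant]) for a file name, else None."""
    low = os.path.basename(filename).lower()
    if low in _NOTE_LOOKUP:
        return ("note", _NOTE_LOOKUP[low])
    for ext, variant in _EXT_LOOKUP:
        # require something before the marker so a bare marker name is not "encrypted"
        if low.endswith(ext) and len(low) > len(ext):
            return ("encrypted", [variant])
    return None


def triage_tree(root):
    """Walk `root`; count encrypted files and notes per variant and pick a verdict
    (variant with most encrypted files), corroborated when its note is also present."""
    encrypted, notes, paths = Counter(), Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            hit = classify(name)
            if hit is None:
                continue
            kind, variants = hit
            if kind == "encrypted":
                encrypted[variants[0]] += 1
                paths.append(os.path.join(dirpath, name))
            else:
                for variant in variants:
                    notes[variant] += 1
    verdict = encrypted.most_common(1)[0][0] if encrypted else None
    return {"verdict": verdict,
            "corroborated": verdict is not None and notes[verdict] > 0,
            "encrypted": encrypted, "notes": notes, "paths": sorted(paths)}


def build_sample_tree():
    """Constructed sample of a Scarab-Decrypts infection (empty placeholder files)."""
    root = tempfile.mkdtemp(prefix="scarab-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.decrypts@airmail.cc", "photo.jpg.decrypts@airmail.cc",
                 "HOW TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(root, "untouched.txt"), "wb").close()
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(result["verdict"], "(corroborated)" if result["corroborated"] else "(unconfirmed)")
    for path in result["paths"]:
        print("  encrypted:", path)
```

Run it against a mounted image of the affected volume rather than the live machine, and treat an uncorroborated verdict with care: the generic HOW TO RECOVER ENCRYPTED FILES.TXT name is shared by six variants in the table, so only the appended extension separates them, and a new build with an unlisted marker will simply produce no verdict.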

Hackers are taking advantage of the infamous Necurs botnet to distribute the virus

The Necurs botnet is infamous for the distribution of various ransomware-type infections. In November, cybersecurity experts also detected it spreading the Scarab virus[4]. The criminals aim to infect computers located in[5]:

Australia;

Germany;

United Kingdom;

France.

At the time of writing, the botnet had already sent about 12.5 million emails carrying a malicious 7Zip archive with a Visual Basic script that downloads and executes the third version of the virus.

The subject lines of these emails follow the scheme “Scanned from [printer/scanner company name]”. Currently, the most popular subjects are:

Scanned from Lexmark;

Scanned from Canon;

Scanned from HP;

Scanned from Epson.

The infected archive itself is named image2017-11-23-4360760.7z. However, the name of this file might change depending on the distribution date. Therefore, users are advised to be careful and watch out for emails sent from copier@[your email address or company’s domain].
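The lure described here has three observable traits a mail gateway can key on: a subject of the form “Scanned from <vendor>”, a sender local part of copier@, and a 7Zip attachment named image<date>-<number>.7z. The following is an added example written for this page (not the article's own code and not a real gateway product) that scores a raw RFC 822 message against those indicators using Python's standard email library. Both messages it checks are constructed inline; the 7z attachment is a few inert bytes, not an archive.

```python
"""Mail screening for the Necurs/Scarab lure described above.

Example code added for this page, not part of the article or of any real
gateway. The indicators come from the article; the messages are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^\s*Scanned from\s+\S+", re.IGNORECASE)
SENDER_RE = re.compile(r"\bcopier@", re.IGNORECASE)
# image<YYYY>-<MM>-<DD>-<digits>.7z, the naming scheme of the lure's archive
ARCHIVE_NAME_RE = re.compile(r"^image\d{4}-\d{2}-\d{2}-\d+\.7z$", re.IGNORECASE)


def attachment_names(msg):
    """Collect the file names of every attachment part."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def assess_message(raw):
    """Score one RFC 822 message (bytes). Each matched indicator adds one point;
    two or more means the message is held for review."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    sender = str(msg.get("From", "") or "")
    names = attachment_names(msg)
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject mimics a scanner notification")
    if SENDER_RE.search(sender):
        reasons.append("sender uses the 'copier@' local part")
    if any(n.lower().endswith(".7z") for n in names):
        reasons.append("7Zip archive attached")
    if any(ARCHIVE_NAME_RE.match(n) for n in names):
        reasons.append("archive named like the Scarab lure")
    return {"score": len(reasons), "reasons": reasons, "hold": len(reasons) >= 2}


def build_sample_messages():
    """Two constructed messages: a lure and a benign document exchange."""
    lure = EmailMessage()
    lure["From"] = "copier@example.com"
    lure["To"] = "staff@example.com"
    lure["Subject"] = "Scanned from Lexmark"
    lure.set_content("Please see the attached document.")
    lure.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16,   # 7z magic plus padding, inert
                        maintype="application", subtype="x-7z-compressed",
                        filename="image2017-11-23-4360760.7z")

    benign = EmailMessage()
    benign["From"] = "alice@example.com"
    benign["To"] = "staff@example.com"
    benign["Subject"] = "Q3 budget draft"
    benign.set_content("Draft attached, comments welcome.")
    benign.add_attachment(b"%PDF-1.4\n%constructed placeholder\n",
                          maintype="application", subtype="pdf", filename="budget-q3.pdf")
    return [lure.as_bytes(), benign.as_bytes()]


if __name__ == "__main__":
    for raw in build_sample_messages():
        verdict = assess_message(raw)
        print("HOLD" if verdict["hold"] else "PASS", verdict["score"], verdict["reasons"])
```

Note the obvious false-positive source: a genuine scan-to-email device in the building also sends “Scanned from …” subjects from a copier@ address, so in practice the internal device's IP or DKIM-signed domain should be exempted and the 7z/archive-name indicators should carry the decision.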

Spam emails are yet another method used to spread Scarab

The authors of this crypto-malware continue to distribute the virus the old-school way, relying on malicious spam emails[6]. Cybersecurity experts detected an enormous wave of malicious emails distributed with the help of the Necurs botnet in late 2017. The messages carried VBS scripts disguised as innocent scanned documents inside a 7Zip archive.

Therefore, users should be aware of the potential dangers that might land straight in their inbox. Keep in mind that if you do not stay rational and cautious, no anti-virus will be able to save you from a Scarab hijack or another malware infiltration. In addition, note that some hackers still use the old trick of a fake alert on a compromised site prompting you to update Java or Adobe Flash Player.

The only way to get rid of Scarab ransomware is a reliable malware removal tool

Our security experts understand how threatening it might seem to lose encrypted data while trying to remove Scarab ransomware. However, the only way to decrypt files without paying the ransom is to get rid of this cyber threat with a robust antivirus. We suggest using Reimage, Malwarebytes or Combo Cleaner. Afterward, you will be able to try the alternative data recovery methods presented below.

In case you cannot launch your security software, take a look at the instructions at the bottom. They should help you launch it and overcome this issue. However, note that a cybersecurity application does not decode files and can only help with Scarab ransomware removal.

What to do if failed?
If you failed to remove the virus damage using Reimage, submit a question to our support team and provide as many details as possible.

Reimage is recommended to remove virus damage. The free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of the Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete the Scarab removal.

If the ransomware is blocking Safe Mode with Networking, try the following method.

When a new window shows up, click Next and select a restore point prior to the infiltration of Scarab. After doing that, click Next.

Now click Yes to start system restore.

Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that the Scarab removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Scarab from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Scarab, you can use several methods to restore them:

Follow the steps of Data Recovery Setup and install the program on your computer;

Launch it and scan your computer for files encrypted by Scarab ransomware;

Restore them.

The benefit of Windows Previous Versions

This method might be effective for restoring encoded data if System Restore was previously enabled. On the other hand, some users may find it inconvenient, as they have to go through each file and perform the following steps.

Find an encrypted file you need to restore and right-click on it;

Select “Properties” and go to “Previous versions” tab;

Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Scarab malware and ShadowExplorer

The latest version of the virus is designed to delete Shadow Volume Copies. However, if you are extremely lucky and it did not delete them, you should try ShadowExplorer for data recovery.

Follow a Shadow Explorer Setup Wizard and install this application on your computer;

Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check which folders are there;

Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
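Whether ShadowExplorer has anything to work with depends on whether the ransomware got to the shadow copies first, and that act is itself one of the most reliable early signals of a ransomware run. The following is an added example for this page (not the article's code): a small detector over process-creation telemetry that flags command lines which destroy Volume Shadow Copies and raises the severity when the parent process ran from a user-writable path. The article only states that newer Scarab builds delete the copies; the specific commands matched (vssadmin delete shadows, wmic shadowcopy delete, Win32_ShadowCopy ... Delete) are my assumption of the usual administrative commands abused for that purpose, and the key=value log lines are constructed, not captured from any real host.

```python
"""Detecting shadow-copy destruction in process-creation telemetry.

Example code added for this page. The matched commands are the author's
assumption of the usual ones abused for this (the article names none); the
log format and lines are constructed."""
import re

SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.IGNORECASE),   # WMI/PowerShell route
]

# Constructed telemetry format: <ts> host=<h> user=<u> parent="<image>" cmdline="<cmd>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent="(?P<parent>[^"]*)"\s+cmdline="(?P<cmd>[^"]*)"$'
)

# A parent image launched from a user-writable location raises the severity.
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shadow_copy_deletion(cmdline):
    """True when the command line matches any shadow-copy destruction pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def scan(lines):
    """Return one alert per event whose command line destroys shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_shadow_copy_deletion(ev["cmd"]):
            ev["severity"] = "high" if USER_WRITABLE_RE.search(ev["parent"]) else "medium"
            alerts.append(ev)
    return alerts


# Constructed sample: a normal editor launch, two destructive calls spawned by an
# executable in the user's temp directory, and a benign listing by a backup account.
SAMPLE_LOG = r'''
2018-06-12T10:15:02Z host=WS-17 user=alice parent="C:\Windows\explorer.exe" cmdline="C:\Program Files\Editor\editor.exe report.docx"
2018-06-12T10:15:40Z host=WS-17 user=alice parent="C:\Users\alice\AppData\Local\Temp\scan.exe" cmdline="vssadmin.exe Delete Shadows /All /Quiet"
2018-06-12T10:15:41Z host=WS-17 user=alice parent="C:\Users\alice\AppData\Local\Temp\scan.exe" cmdline="wmic shadowcopy delete"
2018-06-12T11:02:10Z host=WS-03 user=backupsvc parent="C:\Windows\System32\services.exe" cmdline="vssadmin.exe list shadows"
'''.strip().splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['user']}: {a['cmd']}  (parent {a['parent']})")
```

The useful property for responders is the pairing: a shadow-copy deletion a few seconds before a burst of file renames to one of the extensions listed earlier is the moment to isolate the host, because everything ShadowExplorer could have recovered is gone from that point on.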

Scarab decryptor is not available yet

The official Scarab decryptor still had not been released as of April 2018. However, Dr. Web announced that file decryption for some Scarab versions is possible. Therefore, you can send a few encrypted files to emte@adc-soft.com (together with the ransom note) and see if security experts can help you.